(In-) Security of Smartphone AntiVirus and Security Apps

Presented at VB2016, Oct. 6, 2016, 11:30 a.m. (30 minutes).

Today's evil often comes in the form of ransomware, keyloggers, or spyware, against which anti-virus applications are usually an end-user's only means of protection. But current security apps not only scan for malware, they also aid end-users by detecting malicious URLs, scams or phishing attacks. Generally, security apps appear so self-evidently useful that institutions such as online-banking providers even require users to install anti-virus programs. In this talk, however, we show that the installation of security applications, at least in the context of smartphones, can sometimes open the device to a number of new attack vectors, making the system *more* vulnerable instead of less vulnerable to attacks.

In recent research we looked at *Android* security apps from renowned vendors such as *Kaspersky Lab*, *McAfee*, *Androhelm*, *ESET*, *Malwarebytes* and *Avira*. When conducting a study of the apps' security features (anti-virus and privacy protection, device protection, secure web browsing, etc.), we found that a lot of security applications contained critical vulnerabilities. In a simple case, we would have been able to harm the app vendor's business model by upgrading a trial version into a premium one at no charge. In other instances, attackers would be able to harm the end-user by completely disabling the malware-scanning engine remotely. Or how about accessing confidential data by exploiting broken SSL communication, broken self-developed crypto implementations or through SQL-injections? Yes, we can. On top of all that, we were able to bypass the secure browsing protection and abuse it for code execution. The most alarming findings, however, were security applications that we were able to actually turn into remote access trojans (RATs) or into ransomware.

All our findings were reported to the corresponding security companies. They accepted our findings and fixed the vulnerabilities. There were even major fixes in the internal infrastructure.

The goal of this talk is to advise the audience of our findings and outline common pitfalls in the discovered applications. We will furthermore suggest possible fixes, show ways to avoid such critical implementation flaws and how to prevent such exploits in the first place. We hope to reach out to as many security companies as possible who might also be vulnerable to our findings.

Presenters:

  • Stephan Huber - Fraunhofer SIT
    Stephan Huber is a security researcher at the testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He has found different vulnerabilities in well-known Android applications and the AOSP. In his spare time he enjoys teaching students in Android hacking. @teamsik
  • Siegfried Rasthofer - Fraunhofer SIT/TU Darmstadt
    Siegfried Rasthofer is a fourth-year Ph.D. student at the TU Darmstadt (Germany) and Fraunhofer SIT. His main research focus is on applied software security on Android applications. He has developed different tools that combine static and dynamic code analysis for security purposes. He likes to break Android applications and has found various AOSP exploits. Most of his research is published at top-tier academic conferences and very recently he started publishing at industry conferences like BlackHat, Virus Bulletin and AVAR. @teamsik
